How SSH X11 forwarding is achieved over the browser - ssh

I am planning to implement the functionality given by SSH -X . This is used to open GUI based application remotely. So I want to understand what are the components involved and should be implemented.
I know how to setup this like starting VNC server in the host and assign DISPLAY variable.
And do SSH -X connection from remote client and execute the required GUI app shell script (for example xeyes, xclock etc.,).Please share if anyone is having more advanced information. My requirement is to design a web based "SSH X" client. There are lot of tools available in the market for Web SSH but no tools with SSH X11 forwarding support.

The X11 protocol is intrinsically network transparent, so ssh -X simply sets up a port on the remote system and sets the DISPLAY variable so that X programs write the X11 protocol to that port, which it then streams back to the local side. (This is a simplification; there's also authentication involved.)
If you want to do this in the browser, you'll first have to have some sort of server-side component that does the SSH operations and converts the stream of data to something the browser can use. Browsers do not allow opening arbitrary TCP ports to remote systems in JavaScript, since doing so is a massive security risk.
You'll also have to find some way to render the X11 protocol in the browser. Essentially you'll be implementing a web-based X server (hopefully in something like WebAssembly). You should read the existing specifications for that and look at popular open-source X11 implementations, such as Xorg.
I should point out that this is a colossal amount of work due to the requirement to implement a full X server. VNC-based protocols are much simpler because they don't need to implement drawing primitives, only render (possibly compressed) images streams on the screen.

Related

Seeking SSH emulator that behaves as a terminal on the server side

I write code for embedded control systems and frequently use proprietary black-box modules to communicate with external devices. In my world, RS-232 connectivity is still commonplace. More and more devices, however, are joining the modern world and implementing various TCP and UDP options.
One such device runs an SSH server and interacts with an SSH client opened by the proprietary module. I have to develop code without the device. If this were RS-232, I could simply open a terminal connected to RS-232 and interact with the module, seeing what is sent and sending replies to observe the module's behaviour.
I'm looking for SSH and Telnet "servers" that would allow me to do the same for sessions on those protocols. So far, I've found SSH honeypots that allow me to see payloads from the client, but nothing that lets me send strings in return.
I suspect there's a solution out there, but I simply haven't the vocabulary to describe it. All clues welcome.

Using saltstack ssh

Is there a difference between using salt-proxy ssh and directly salt-ssh? I'm interested because according to documentation both aimed to run remote commands without agent installation on the end machine.
You cant simply do salt-ssh on a proxy minion, for which you would have to write your own custom ssh interface to the remote system, because your proxy minion may not support doing salt-ssh.
How to choose between using salt-ssh vs salt-proxy totally depends on the type of a minion system.
As stated in the saltstack documentation - https://docs.saltstack.com/en/latest/topics/ssh/index.html and
https://docs.saltstack.com/en/latest/topics/proxyminion/index.html
For salt-ssh to be used, the remote system must have python installed - one of the criteria. For example, controlling ubuntu from centos.
As stated in the salt-proxy doc,
Proxy minions are a developing Salt feature that enables controlling
devices that, for whatever reason, cannot run a standard salt-minion.
Examples include network gear that has an API but runs a proprietary
OS, devices with limited CPU or memory, or devices that could run a
minion, but for security reasons, will not.

How to block applications from using SSH tunnel

I am using Little Snitch to control my local applications' internet connection. But when I am at the University, I have to tunnel via ssh to a network-server in order to get an internet connection there.
The problem: If I do so, Little Snitch is not able to control my applications anymore, because then every application uses my ssh tunnel. What's the best way to handle that? Should I block ports on my ssh or is Little Snitch able to manage this?
I am using a Mac and open the ssh connection over the terminal with the following line:
ssh -D 2001 -o ServerAliveInterval=60 username#servername.com
If you use mac MacProxy and for Windows Proxifier are easiest solutions with more benefits. in addition to blocking any program from connecting to your SSH Tunnel you can also set direct access to your internet for some other programs.
Also you can specify ports and/or IPs for each program and lots more...

Shift running X window (display environment) on SSH X11 forwarding

I want to see remotely some running GUI application without kill the current process, I have tried vnc and xrdp, xrdp opens a new blank session, so it is not for me, vnc is good, but not exactly what I need, it uses the screen and devices presents, someone could mess with me moving the mouse or typing on the keyboard.
Therefore I figured out the only way I could do what I need is managing to shift a running X window from one display to another, thus even on a SSH -X (X11 forwarding) I would be able to see it.
I am on this quest for a long time and I didn't found out a conclusive solution, that is the reason I am appealing to you. Could you help me to solve this trouble?
Thanks,
I've never used it myself, but Xpra appears to be the commonly suggested solution; you might also consider xmove. Both of these work by proxying the X client's connection to its server, and keeping track of enough state so that you can switch the proxy's server-side connection among servers and get a sensible result. Without such a proxy, as in "stock" X, it is not possible to disconnect a client from one server and connect it to another, except in the case of a client which is designed specifically to support such behavior.
If you look at the Wikipedia page on the subject there are several apps mentioned.
Xmove
excerpt
xmove is a computer program that allows the movement of X Window
System applications between different displays and the persistence of
X applications across X server restarts.[4] It solves a problem in the
design of X, where an X client (an X application) is tied to the X
server (X display) it was started on for its lifetime. Also, if the X
server is shut down, the client application is forced to stop running.
xmove lets the client disconnect from its current X server, and
connect to a new one, at any time. The transition is completely
transparent to the client. xmove works by acting as a proxy between
the client and server. It is a "pseudoserver" which stores enough
server state so that clients can connect to a new server without being
disrupted.
Xpra
excerpt
xpra or X Persistent Remote Applications is a tool which allows you to
run X clients usually on a remote host and then direct their display
to your local machine without losing any state.1
It differs from standard X forwarding in that it allows disconnection
and reconnection without disrupting the forwarded application. It
differs from VNC and similar remote display technologies in that xpra
is rootless: i.e., applications forwarded by xpra appear on your
desktop as normal windows managed by your window manager, rather than
being all "trapped in a box together". Xpra also uses a custom
protocol that is self-tuning and relatively latency-insensitive, and
thus is usable over worse links than standard X.
Guievict
excerpt
guievict is a computer program which enables the GUI of any
application for XFree86 implementation of X Window to be transparently
migrated to or replicated on another display. Unlike some program
providing similar functionalities, it requires neither prearranging
steps such as re-linking the application program binary nor
re-directing the application process's window system communication
through a proxy like xmove does.
Guievict is based on a small X server extension that enables an
application to retrieve its window state from the X server and a
library of GUI migration functionality that is injected in the
application process at run time. Code injection or runtime
code-patching can be done via the DynInst API. However, guievict
contains its own implementation to avoid requiring users to install
DynInst.
Of the 3 of these, Guievict sounds like what you're looking for, mainly that it can checkpoint the state of X application AppX and migrate it to another X server where it can be restored.
(This answer comes from slm at unix.stackexchange)

What is X Server and Remote Terminal Server?

Can someone explain what is the difference between X server and Remote Terminal servers in simple terms?
For example, Hummingbird Exceed is an X server and Citrix is a Remote Terminal Server. How do these servers work?
A terminal server runs at the "other" machine while you use a remote desktop client to view the other machine's screen.
A X server (of the X11 Window System) runs on your machine while another machine (or several thereof) send their output to your computer.
The most important difference to the end user is probably "culture": With the X Window system you typically work with windows that run on several hosts. (You often sit in front of a quite stripped down workstation, get one application from one computer, another one from another computer.) When working with X things feel very heterogeneous - a special application only runs on a HP workstation while your company is stuffed with suns or linux boxes? No problem, just buy one HP, everone can use that application over the network like as it was local.)
Remote terminal services feel more like another computer sends its complete screen to you, more like you have a 100-Mile-Long monitor and usb cable (with a little lag built in). You typically use a remote desktop client that sends a complete desktop to you.
However in recent times both techniques get close to another - windows remote desktop (which is based on citrix) can send only application windows to your desktop, while a lot of programs based on X11 are theoretically network transparent but practically need to run on the local machine. (Sorry, no 3D shooter over the network - an extreme example).
Which one is better? I don't dare to say. White X11 is a lot more flexible (it was designed with network transparency in mind - it makes absolutely no difference if an application runs local or remote - it is in many aspects more complicated. As long as there was no remote desktop sharing there was a clear advantage, but slowly the gap is closing, for example by terminal services now allowing you to do many things that were available with X11 only in earlier times.)
By the way, the main reason many X11 application still feel a little "snappier" over the network than windows counterparts is the thing that many application programmers on windows still think they always run local and dump a lot of bitmap graphics on the screen - like custom toolbars in ZIP tools. X11 applications did not do this for a long time and chose "ugly but fast" because X11 forces you to think about the network. But as X11 applications get more pretty and Windows programmers more aware about terminal services the difference will dwindle.
Oh and an important point: X11 is deeply ingrained in the Unix way of things, Citrix is mainly used on Windows (in the form of Microsoft's Windows Terminal Services - which originated in Citrix code). So lock a terminal services admin and a X11 operator into a cage and step back watching bloodshed when they figure out who they are locked in with ...
An X server most likely refers to the X11 windowing system, which is the GUI that most unix flavors (including linux) use. It's a client/server setup, and has been around for a very long time
A remote Terminal Server in the case of Citrix is a remote windows instance that can be connected to with a special Citrix client. The Citrix environments I'm familiar with are all MS Windows solutions, ie they work similar to X, but are for Windows Servers only
They both sort of operate in similar fashions, which is serving a remote client a windowing solution. IE, they both let a server run the actual application while the display of that application is sent back over the network to a client PC.
A 'Terminal Server', as it's called, basically allow you to connect to a Windows session remotely. They employ a bit of magic to make the experience snappy over connections with latency. The Windows GUI system isn't network transparent like X, so it took a while longer to get this feature. Windows Server 2008 and Citrix products have the ability to let you use a single application, unlike the traditional Terminal Server.
X is the GUI protocol for Unix/Linux. The X server accepts connections and displays their windows. The clients are actually the programs themselves. These clients can be local or remote, it doesn't matter to X. X just displays them as requested, on the local screen or over a TCP connection. This is lower level stuff than terminal servers, and allows graphical programs to run on one machine and display on another. X11 doesn't compress or encrypt the traffic like RDP does (although SSH can help you out there).
The linux equivalent of RDP is NX. They provide free software to run NX servers/clients. I've used it and it works pretty well.